Skip to content

Event Search Processing Rule #5

New issue
New issue
Open
Open
Event Search Processing Rule#5
Assignees
dogoncouch
Labels
enhancementNew feature or request
@dogoncouch

Description

@dogoncouch
dogoncouch
opened on Apr 2, 2018

Feature Idea

ESP rule - triggered by chain of events in a specific order.

Rule Needs

  • Event chain specifics - use standard ESP language:
RuleEvent.source_rule_name=RULENAME FOLLOWED BY
LogEvent.source_host=X.X.X.X AND LogEvent.log_source=LOGSOURCE
FOLLOWED BY RuleEvent.source_rule_name=RULENAME
  • Time range to check
  • Check interval

Logic

  1. Convert ESP language to list of dictionaries
  2. Get events in time interval (work on making this more efficient later)
  3. Check events in reverse, comparing to reversed list of dictionaries
  4. Create rule event if sequence is matched

Metadata

Metadata

Assignees

Labels

enhancementNew feature or request

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions